Re: Questions on Sysloging with a DMZ
> logging console
>
> should get what you need on a cisco. Might have to set that serial port
> to no password, which brings up an additional hole if physical security
> is a concern.
>
> --Rich

What about the cisco that's 35 miles away?

I'm thinking with what these ciscos do, and actually log, that there's not much point in having the syslog on them, actually.

Mike

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Questions on Sysloging with a DMZ
Mike Dresser wrote:
>
> I was thinking of using a digiboard on the syslog machine, and connecting
> a serial link to each server. However, that doesn't help me on stuff like
> ciscos and jetdirect boxes that can only output syslog over ethernet.

logging console

should get what you need on a cisco. Might have to set that serial port to no password, which brings up an additional hole if physical security is a concern.

--Rich

Rich Puhek
ETN Systems Inc.
Re: Questions on Sysloging with a DMZ
On Fri, Jun 14, 2002 at 10:13:09AM -0400, Mike Dresser wrote:
> I've done some looking around on the web, and haven't really found an
> answer to the following question.
>
> How do you securely handle syslogging when you have servers in the DMZ,
> and then the servers that are inside on the internal network? Seems that
> the fundamental rule is never allow internal lan access from an external
> or dmz host. But if that rule is followed, that means the syslog server
> ends up in the DMZ, and that seems just as wrong.
>
> Dual firewall setup:
>
> Internet -- Firewall1 -- Firewall2 -- LAN
>                 |
>                DMZ (connected to NIC on firewall1)
>
> Let's say I have 4 servers in the DMZ, and 3 on the lan. Do I build two
> syslog servers, one attached to each network?
>
> I was thinking of using a digiboard on the syslog machine, and connecting
> a serial link to each server. However, that doesn't help me on stuff like
> ciscos and jetdirect boxes that can only output syslog over ethernet.
>
> I was also considering maintenance, if I used serial links over another
> digiboard plugged into a secured internal lan machine, that would remove
> the requirement for ssh on the servers, just login to the maintenance
> machine, and then connect to the appropriate server via the serial link.
> Make sense/practical/secure?
>
> And one last question. It's generally considered ok to go from internal
> lan to DMZ server with limited access, correct? Like say my internal mail
> server polling the DMZ mail server for mail. Or alternatively, the APC
> network card notifying servers inside and outside the dmz that the
> batteries are almost dead, shut down.
>
> Ideas/comments/flames/amazon.com_links_to_RTFM?

For what it's worth, we keep 1 syslog server in our DMZ with a very tight configuration (we also have another syslog server in our internal lan). The only listening service is syslog and even that is limited to our servers.

A better solution would be to use ipsec / freeswan, but I have yet to learn that.

good luck,
donfede
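Added example, not code from anyone in the thread: a minimal UDP syslog receiver of the kind donfede describes for the DMZ collector, which binds only the DMZ-facing address and drops datagrams from any sender not on an allow-list before parsing the BSD-syslog PRI field. The sender addresses and log lines are constructed for the example.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the DMZ hosts allowed to send syslog to the
# DMZ collector. Anything else is dropped before it is even parsed.
ALLOWED_SENDERS = {"192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"}

# Facility/severity names in RFC 3164 numbering (PRI = facility*8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    source: str
    facility: str
    severity: str
    message: str


def parse_bsd_syslog(source: str, datagram: bytes) -> Optional[SyslogEvent]:
    """Decode one UDP syslog datagram from `source`; return None to drop it.
    Dropped: unknown senders, missing <PRI> header, PRI above 191."""
    if source not in ALLOWED_SENDERS:
        return None
    m = _PRI_RE.match(datagram.decode("ascii", errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return SyslogEvent(source, FACILITIES[pri >> 3], SEVERITIES[pri & 7],
                       m.group(2).strip())


def serve(bind_addr: str, logfile: str, port: int = 514) -> None:
    """Bind only the DMZ-facing address and append accepted events to a file."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "a", buffering=1) as out:   # line-buffered
        while True:
            data, (src, _) = sock.recvfrom(4096)
            ev = parse_bsd_syslog(src, data)
            if ev is not None:
                out.write(f"{ev.source} {ev.facility}.{ev.severity} {ev.message}\n")
```

The sender check is only a sanity filter, since UDP source addresses can be forged; the firewall rules in front of the collector, or the ipsec setup donfede mentions, are what actually enforce who may reach port 514.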
Questions on Sysloging with a DMZ
I've done some looking around on the web, and haven't really found an answer to the following question.

How do you securely handle syslogging when you have servers in the DMZ, and then the servers that are inside on the internal network? Seems that the fundamental rule is never allow internal lan access from an external or dmz host. But if that rule is followed, that means the syslog server ends up in the DMZ, and that seems just as wrong.

Dual firewall setup:

Internet -- Firewall1 -- Firewall2 -- LAN
                |
               DMZ (connected to NIC on firewall1)

Let's say I have 4 servers in the DMZ, and 3 on the lan. Do I build two syslog servers, one attached to each network?

I was thinking of using a digiboard on the syslog machine, and connecting a serial link to each server. However, that doesn't help me on stuff like ciscos and jetdirect boxes that can only output syslog over ethernet.

I was also considering maintenance, if I used serial links over another digiboard plugged into a secured internal lan machine, that would remove the requirement for ssh on the servers, just login to the maintenance machine, and then connect to the appropriate server via the serial link. Make sense/practical/secure?

And one last question. It's generally considered ok to go from internal lan to DMZ server with limited access, correct? Like say my internal mail server polling the DMZ mail server for mail. Or alternatively, the APC network card notifying servers inside and outside the dmz that the batteries are almost dead, shut down.

Ideas/comments/flames/amazon.com_links_to_RTFM?

Mike